No one outside the IT department cares about the vulnerability metrics, or they shouldn’t, anyway. They care more about the efficacy of the program. And traditional stats don’t show that.